npm - @dianzhong/create-harness-app - Versions diffs - 0.1.0 - Mend

@dianzhong/create-harness-app 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (95) hide show

package/templates/harness/minimal/.claude/hooks/guard-tool.cjs ADDED Viewed

@@ -0,0 +1,234 @@
+#!/usr/bin/env node
+/**
+ * PreToolUse 安全守护 hook
+ *
+ * 职责：在 Claude Code 执行任何工具之前拦截，阻断危险命令和敏感文件访问。
+ * 覆盖 Bash/Read/Write/Edit/Grep/Agent 等工具调用。
+ * 不改写任何文件，只返回 continue/deny 决策。
+ */
+/* eslint-disable @typescript-eslint/no-require-imports */
+const fs = require('node:fs')
+const path = require('node:path')
+// 从 stdin 读取 Claude Code 传入的 JSON hook payload
+function readJsonStdin() {
+  const input = fs.readFileSync(0, 'utf8').trim()
+  if (!input) {
+    return {}
+  }
+  try {
+    return JSON.parse(input)
+  } catch {
+    return {}
+  }
+}
+// 构造拦截响应：阻止执行并附带原因
+function deny(reason) {
+  process.stdout.write(
+    JSON.stringify({
+      continue: false,
+      stopReason: reason,
+      permissionDecision: 'deny',
+      permissionDecisionReason: reason,
+    }),
+  )
+}
+// 构造放行响应：允许执行，抑制输出
+function allow() {
+  process.stdout.write(JSON.stringify({ continue: true, suppressOutput: true }))
+}
+// 统一路径格式：Windows 反斜线 → 正斜线，去除两端引号
+function normalizePath(value) {
+  return String(value ?? '')
+    .replaceAll('\\', '/')
+    .replace(/^["']|["']$/g, '')
+}
+// 从嵌套的 toolInput 对象中递归收集所有含路径含义的字符串值
+function collectPaths(value, results = []) {
+  if (!value) {
+    return results
+  }
+  if (typeof value === 'string') {
+    results.push(value)
+    return results
+  }
+  if (Array.isArray(value)) {
+    for (const item of value) {
+      collectPaths(item, results)
+    }
+    return results
+  }
+  if (typeof value === 'object') {
+    for (const [key, item] of Object.entries(value)) {
+      if (/path|file|filename/i.test(key) && typeof item === 'string') {
+        results.push(item)
+      } else {
+        collectPaths(item, results)
+      }
+    }
+  }
+  return results
+}
+// 判断文件路径是否为密钥/凭证等敏感文件（允许 .env.example）
+function isSensitivePath(filePath) {
+  const normalized = normalizePath(filePath)
+  const base = path.posix.basename(normalized)
+  if (!normalized) {
+    return false
+  }
+  if (base === '.env.example') {
+    return false
+  }
+  return (
+    /^\.env($|\.)/.test(base) ||
+    /(^|\/)\.env($|\.)/.test(normalized) ||
+    /(^|\/)secrets?\//i.test(normalized) ||
+    /(^|\/)(id_rsa|id_ed25519|known_hosts)$/i.test(normalized) ||
+    /\.(pem|key|p12|pfx|crt|cer)$/i.test(base)
+  )
+}
+// 判断 glob pattern 是否匹配敏感文件模式
+function isSensitiveGlob(glob) {
+  const normalized = String(glob ?? '').replaceAll('\\', '/')
+  return (
+    /^\.env($|\*)/.test(normalized) ||
+    /(^|\/)\.env($|\*)/.test(normalized) ||
+    /(^|\/)secrets?\//i.test(normalized) ||
+    /\.(pem|key|p12|pfx|crt|cer)$/i.test(normalized)
+  )
+}
+// 从 shell 命令文本中提取可能的路径片段。不能只按空白切分：
+// cat<.env.production、node -e "readFileSync('.env')" 这类写法都不会产生独立空白 token。
+function collectCommandPathCandidates(command) {
+  return String(command ?? '')
+    .replaceAll('\\', '/')
+    .split(/[\s"'`$;&|()<>,={}[\]]+/)
+    .map((token) => token.trim())
+    .filter(Boolean)
+}
+// 检测 Bash 命令是否包含危险操作（破坏性 Git、递归删除、低级磁盘写入等）
+// commandStart 匹配命令起始位置：行首、管道/分号后，或环境变量赋值后
+function dangerousCommandReason(command) {
+  const commandStart = String.raw`(?:^|[;&|()])\s*(?:\w+=(?:"[^"]*"|'[^']*'|[^\s;|()]+)\s+)*`
+  const checks = [
+    [new RegExp(`${commandStart}git\\s+reset\\s+--hard\\b`, 'i'), 'Blocked destructive git reset.'],
+    [
+      new RegExp(`${commandStart}git\\s+reset\\s+--mixed\\s+HEAD\\b`, 'i'),
+      'Blocked destructive git reset.',
+    ],
+    [
+      new RegExp(`${commandStart}git\\s+push\\s+--force(?:-with-lease)?\\b`, 'i'),
+      'Blocked force push.',
+    ],
+    [
+      new RegExp(`${commandStart}git\\s+push\\s+\\S+\\s+--delete\\b`, 'i'),
+      'Blocked remote branch deletion.',
+    ],
+    [
+      new RegExp(`${commandStart}git\\s+push\\s+\\S+\\s+\\+\\S+\\b`, 'i'),
+      'Blocked force push via refspec.',
+    ],
+    [new RegExp(`${commandStart}git\\s+branch\\s+-D\\b`, 'i'), 'Blocked local branch deletion.'],
+    [new RegExp(`${commandStart}git\\s+stash\\s+(drop|clear)\\b`, 'i'), 'Blocked stash deletion.'],
+    [
+      new RegExp(`${commandStart}git\\s+checkout\\s+(?:--\\s+|\\.)`, 'i'),
+      'Blocked destructive git checkout.',
+    ],
+    [new RegExp(`${commandStart}git\\s+restore\\b`, 'i'), 'Blocked destructive git restore.'],
+    [
+      new RegExp(
+        `${commandStart}git\\s+clean\\s+(?=[^;&|\\n]*-[A-Za-z]*f)(?=[^;&|\\n]*-[A-Za-z]*d)`,
+        'i',
+      ),
+      'Blocked destructive git clean.',
+    ],
+    [
+      new RegExp(`${commandStart}rm\\s+(?=[^;&|\\n]*-[A-Za-z]*r)(?=[^;&|\\n]*-[A-Za-z]*f)`, 'i'),
+      'Blocked recursive force delete.',
+    ],
+    [new RegExp(`${commandStart}del\\s+\\/[fsq]\\b`, 'i'), 'Blocked destructive Windows delete.'],
+    [new RegExp(`${commandStart}rmdir\\s+\\/s\\b`, 'i'), 'Blocked recursive directory delete.'],
+    [
+      new RegExp(`${commandStart}Remove-Item\\b.*\\s-Recurse\\b.*\\s-Force\\b`, 'i'),
+      'Blocked recursive force delete.',
+    ],
+    [new RegExp(`${commandStart}dd\\s+\\b`, 'i'), 'Blocked low-level disk write command.'],
+  ]
+  for (const [pattern, reason] of checks) {
+    if (pattern.test(command)) {
+      return reason
+    }
+  }
+  return ''
+}
+// === 主逻辑 ===
+// 1. Bash 命令检查：先检测危险命令，再扫描命令中的敏感路径
+const payload = readJsonStdin()
+const toolName = payload.tool_name || payload.toolName || payload.tool || ''
+const toolInput = payload.tool_input || payload.toolInput || {}
+const command = String(toolInput.command || '')
+if (/bash/i.test(toolName) && command) {
+  const reason = dangerousCommandReason(command)
+  if (reason) {
+    deny(`${reason} Command: ${command.slice(0, 160)}`)
+    process.exit(0)
+  }
+  for (const token of collectCommandPathCandidates(command)) {
+    if (isSensitivePath(token)) {
+      deny(`Blocked command touching sensitive path: ${token}`)
+      process.exit(0)
+    }
+  }
+}
+// 2. 工具输入路径检查：递归收集所有路径参数，检测敏感文件
+const paths = collectPaths(toolInput).map(normalizePath)
+const sensitive = paths.find(isSensitivePath)
+if (sensitive) {
+  deny(`Blocked access to sensitive path: ${sensitive}`)
+  process.exit(0)
+}
+// 3. Grep 工具专项检查：glob pattern 和搜索路径中的敏感文件
+if (/grep/i.test(toolName)) {
+  const glob = String(toolInput.glob || '')
+  const grepPath = String(toolInput.path || '')
+  if (glob && isSensitiveGlob(glob)) {
+    deny(`Blocked Grep with sensitive glob pattern: ${glob}`)
+    process.exit(0)
+  }
+  if (grepPath && isSensitivePath(grepPath)) {
+    deny(`Blocked Grep in sensitive path: ${grepPath}`)
+    process.exit(0)
+  }
+}
+allow()

package/templates/harness/minimal/.claude/hooks/quality-gate.cjs ADDED Viewed

@@ -0,0 +1,135 @@
+#!/usr/bin/env node
+/**
+ * Stop hook
+ *
+ * 职责：
+ * - git 有变更时先自动格式化，再运行 type-check / lint / harness:check。
+ *   失败时阻断 agent 停止，成功时放行并通知。
+ *   注意：不自动暂存（不 git add），由人工决定暂存与提交。
+ */
+/* eslint-disable @typescript-eslint/no-require-imports */
+const { spawnSync } = require('node:child_process')
+const dryRun = process.argv.includes('--dry-run') || process.env.HARNESS_QUALITY_DRY_RUN === '1'
+function writeJson(value) {
+  process.stdout.write(JSON.stringify(value))
+}
+// 跨平台 shell 参数转义：安全字符直接通过，POSIX 用单引号，Windows 用双引号
+function shellQuote(value) {
+  const text = String(value)
+  if (!/[^\w@%+=:,./-]/.test(text)) {
+    return text
+  }
+  if (process.platform === 'win32') {
+    return `"${text.replaceAll('"', '\\"')}"`
+  }
+  return `'${text.replaceAll("'", "'\\''")}'`
+}
+// 跨平台执行 shell 命令：Windows 用 cmd.exe，POSIX 用 sh -lc
+function runShell(commandLine, timeout = 180000) {
+  if (process.platform === 'win32') {
+    return spawnSync('cmd.exe', ['/d', '/s', '/c', commandLine], {
+      cwd: process.cwd(),
+      encoding: 'utf8',
+      shell: false,
+      timeout,
+    })
+  }
+  return spawnSync('sh', ['-lc', commandLine], {
+    cwd: process.cwd(),
+    encoding: 'utf8',
+    shell: false,
+    timeout,
+  })
+}
+// 封装命令执行，支持 --dry-run 模式跳过实际执行
+function run(command, args) {
+  if (dryRun) {
+    return {
+      command: [command, ...args].join(' '),
+      status: 0,
+      stdout: '[dry-run] skipped command execution',
+      stderr: '',
+      error: '',
+    }
+  }
+  const commandLine = [command, ...args].map(shellQuote).join(' ')
+  const result = runShell(commandLine)
+  return {
+    command: [command, ...args].join(' '),
+    status: result.status ?? 1,
+    stdout: result.stdout || '',
+    stderr: result.stderr || '',
+    error: result.error ? result.error.message : '',
+  }
+}
+// 获取 git 变更文件列表（porcelain 格式）
+function gitStatus() {
+  const result = runShell('git status --porcelain --untracked-files=all', 15000)
+  if (result.status !== 0) {
+    return null
+  }
+  return result.stdout
+    .split(/\r?\n/)
+    .map((line) => line.trim())
+    .filter(Boolean)
+}
+// Stop 模式：无变更时跳过门禁，否则运行完整的质量检查流水线
+const changed = gitStatus()
+if (changed && changed.length === 0) {
+  writeJson({
+    continue: true,
+    systemMessage: 'Harness 质量门禁跳过：git 未检测到变更文件。',
+  })
+  process.exit(0)
+}
+// Stop 收尾阶段允许自动格式化（本项目唯一允许自动格式化的 hook）
+const formatResult = run('pnpm', ['format'])
+const commands = [
+  ['pnpm', ['type-check']],
+  ['pnpm', ['lint']],
+  ['pnpm', ['harness:check']],
+]
+const results = [formatResult, ...commands.map(([command, args]) => run(command, args))]
+const failed = results.filter((result) => result.status !== 0)
+if (failed.length > 0) {
+  const details = failed
+    .map((result) => {
+      const output = `${result.stdout}\n${result.stderr}\n${result.error}`.trim()
+      return `命令失败：${result.command}\n${output.slice(-2400)}`
+    })
+    .join('\n\n')
+  writeJson({
+    continue: false,
+    stopReason: `Harness 质量门禁未通过。请修复以下问题后再继续。\n\n${details}`,
+  })
+  process.exit(0)
+}
+writeJson({
+  continue: true,
+  systemMessage: `Harness 质量门禁通过。变更文件数：${
+    changed ? changed.length : 0
+  }。已通过的检查：pnpm format（自动修复）、pnpm type-check、pnpm lint、pnpm harness:check。`,
+})

package/templates/harness/minimal/.claude/settings.json ADDED Viewed

@@ -0,0 +1,27 @@
+{
+  "$schema": "https://json.schemastore.org/claude-code-settings.json",
+  "permissions": {
+    "allow": [
+      "Read", "Glob", "Grep",
+      "Bash(git status*)", "Bash(git diff*)", "Bash(git log*)", "Bash(git show*)",
+      "Bash(pnpm *)", "Bash(node *)"
+    ],
+    "deny": [
+      "Read(.env*)", "Read(**/.env*)",
+      "Read(*.pem)", "Read(**/*.pem)", "Read(*.key)", "Read(**/*.key)",
+      "Bash(git reset --hard*)", "Bash(git push --force*)",
+      "Bash(rm -rf*)", "Bash(git commit*)"
+    ]
+  },
+  "hooks": {
+    "PreToolUse": [{
+      "matcher": "Bash|Read|Write|Edit|MultiEdit|Grep|Agent",
+      "hooks": [{ "type": "command", "command": "node .claude/hooks/guard-tool.cjs", "timeout": 10 }]
+    }],
+    "Stop": [{
+      "matcher": ".*",
+      "hooks": [{ "type": "command", "command": "node .claude/hooks/quality-gate.cjs stop", "timeout": 300 }]
+    }]
+  },
+  "disableBypassPermissionsMode": "disable"
+}

package/templates/harness/minimal/CLAUDE.md ADDED Viewed

@@ -0,0 +1,12 @@
+# Claude Code 项目指南
+本项目使用最小 harness 配置：安全守护（guard-tool）+ 质量门禁（quality-gate）。
+## 项目事实
+- 技术栈：Vue 3、TypeScript、Vite
+- 包管理器：pnpm
+## 质量门禁
+- 代码变更运行 `pnpm check`（type-check + lint + format:check）。
+- 不读取、不写入密钥文件。
+- 不自动提交。